With Windows 11, Microsoft has raised the out-of-the-box security requirements: the PC must have a TPM device present to install the operating system. It seems the early release copies of Windows 11 didn't require this. However, the GA media now checks for the TPM and throws an error if none is found.
In general, Windows 11 requires the hardware listed below to run, as documented by Microsoft. It can easily be provided on virtual hardware. Issues installing Windows 11 seem to arise primarily when a TPM device isn't found on older computers or the CPU is outdated. You can read the detailed requirements here.
In both VMware Workstation and VMware vSphere ESXi, there is a process for adding a virtual TPM device to the virtual machine.
VMware Workstation
At the time of this writing, VMware Workstation has no option for Windows 11. However, you can choose Windows 10 and later X64 here, and it works fine.
Before adding the virtual TPM device, we must encrypt the VMware Workstation VM. To do this, navigate to the Virtual Machine Settings > Access Control > Encryption section. Click the Encrypt button.
Next, under the Options > Advanced configuration, ensure the virtual machine is configured for UEFI > Enable secure boot.
Now, on the Virtual Machine Settings > Hardware tab, click Add. Choose the Trusted Platform Module, and click Finish.
After encrypting the hard disk and adding the TPM device, you can mount the ISO media and install Windows 11 in VMware Workstation without error.
VMware ESXi
Installing Windows 11 on a VMware vSphere ESXi VM is similar to VMware Workstation. When creating a new Windows 11 virtual machine in VMware ESXi, the VM needs to be encrypted to use the virtual TPM. In step 4 of the new virtual machine wizard, Select storage, select the Encrypt this virtual machine checkbox.
To encrypt a virtual machine in VMware vSphere, you must have a key provider configured. With VMware vSphere 7 Update 2, you can use the built-in Native Key Provider to support virtual machine encryption without needing a third-party provider.
You can configure/view the integrated Key Provider configuration under the properties of your vCenter Server in vSphere Client > Configure > Key Providers.
To create a new VMware vSphere ESXi Windows 11 VM, in step 6, Select a guest OS, select Microsoft Windows 10 (64-bit). As of VMware vSphere 7.0 Update 3c, as in VMware Workstation, there is still no option for Windows 11. However, choosing Windows 10 works fine.
On the Virtual Hardware tab of the Customize hardware screen, you need to select Add new device > Trusted Platform Module.
Your physical ESXi host does not need a physical TPM 2.0 chip installed for you to add the virtual TPM. However, without a physical TPM 2.0 chip in the ESXi host, you can't implement other security recommendations, such as host attestation.
After finishing the creation of the virtual machine, the installation of Windows 11 begins without error and proceeds as expected.
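Once Windows 11 is installed on either platform, you can confirm from inside the guest that the virtual TPM and Secure Boot settings took effect. The following is an added example, not part of the original article; the function name Test-Win11TpmReadiness is hypothetical, and it assumes an elevated PowerShell session in the guest.

```powershell
# Added example: run inside the Windows 11 guest from an elevated PowerShell session.
# Reports whether the guest sees a TPM 2.0 device and has Secure Boot enabled.
function Test-Win11TpmReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        Tpm20          = $false
        SecureBoot     = $false
        Notes          = @()
    }

    try {
        # Get-Tpm reports whether Windows detected a TPM and whether it is usable
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $result.Notes += "Get-Tpm failed: $($_.Exception.Message)"
    }

    try {
        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM version
        $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($wmi) {
            $result.TpmSpecVersion = $wmi.SpecVersion
            $result.Tpm20 = (($wmi.SpecVersion -split ',')[0].Trim() -eq '2.0')
        } else {
            $result.Notes += 'No Win32_Tpm instance: the VM has no TPM device attached.'
        }
    } catch {
        $result.Notes += "Win32_Tpm query failed: $($_.Exception.Message)"
    }

    try {
        # Returns $true/$false on UEFI firmware; throws when the VM boots with legacy BIOS
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.Notes += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-Win11TpmReadiness | Format-List
```

A VM configured as described above should report TpmPresent, Tpm20, and SecureBoot as True; any entry under Notes points to the setting that is missing.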
Installing Windows 11 in VMware Workstation and VMware ESXi is relatively straightforward. You can satisfy the hardware requirements in both platforms by encrypting the hard disks and adding the virtual TPM device.
Having a physical TPM device installed in the VMware Workstation or VMware ESXi host is not required to install Windows 11, since VMware can create a virtual TPM (vTPM) 2.0 device. However, a physical TPM is required for host attestation and other advanced security implementations.